ACL troubleshooting reference

  • Release version: Xanadu
  • Updated August 1, 2024

    ACL troubleshooting includes identifying ACL rule errors and using the debugging tools to fix ACL-related problems.

    Access analyzer

    Access analyzer helps administrators view permissions for the selected user, role, or group. It is a diagnostic security tool that provides comprehensive visibility into resource permissions and access controls at the Access Control List (ACL) level, enabling you to understand who has access to your resources, identify overly permissive configurations, and maintain least-privilege access principles. To learn more about how to use the tool, see Access Analyzer.

    Enable debugging

    Enable debugging to help troubleshoot an issue.

    Table 1. Troubleshoot

    | Error or symptom | Solution |
    |---|---|
    | You cannot access records from a custom table. | Create a table ACL rule for the custom table granting users access to the table. Without an explicit table ACL rule, users must pass the permissions in the table wildcard (*) ACL rule, which by default restricts access to administrators only. Enable debugging and determine what ACL rules are evaluated for the custom table. |
    | You create a custom ACL rule that does not work properly. | The most likely problems are that another rule takes precedence over your custom rule in the processing order or that the user does not meet all the permission requirements for the object type. Enable debugging and verify that the ACL rule is being evaluated. |
    | Your field ACL rule does not work properly. | There is likely a table ACL rule that the user has not met. Enable debugging and determine what ACL rules are evaluated for the field. Verify that there is not a conflicting table ACL rule or duplicate field ACL rule. |
    | Your table ACL rule does not work properly. | There is either an ACL rule higher in the processing order or a duplicate table ACL rule interfering with the table ACL rule. Enable debugging and determine what ACL rules are evaluated for the table. |
    | You can see a field in a list but not in a form. | It is possible that the ACL rule conditions or script are being triggered in the list but not in the form. Enable debugging and determine when the ACL rules evaluate to true. Update the conditions or script to have the same behavior on the list and form. |
    | You receive an error message when trying to execute a processor or client-callable script include. | There is an ACL rule for the processor or client-callable script include that the user has not met. If the user should have access to the object, enable debugging and determine what ACL rules are evaluated for the processor or script include. Update the ACL rule or the user roles as needed to access the object. |
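
The following is an added example, not ServiceNow code and not the platform's ACL engine: a simplified JavaScript model of three rows in the table above (wildcard fallback for a custom table, a field rule blocked by an unmet table rule, and duplicate rules). The record shape (`name`, `operation`, `roles`), the table and role names, and the any-rule-passes behavior at one level are assumptions made for the sketch.

```javascript
// Simplified model of the symptoms in the troubleshooting table; this is not
// ServiceNow's ACL engine. Record shape (name, operation, roles) is assumed.
const SAMPLE_RULES = [ // constructed sample data
  { name: '*', operation: 'read', roles: ['admin'] },            // table wildcard
  { name: 'u_audit', operation: 'read', roles: ['itil'] },       // explicit table rule
  { name: 'u_audit.u_cost', operation: 'read', roles: ['fin'] }, // field rule
  { name: 'u_audit.u_cost', operation: 'read', roles: ['fin'] }, // duplicate
];

// Rules that govern `name`; fall back to the wildcard when none is explicit.
function governing(rules, name, operation, fallback) {
  const hit = rules.filter(r => r.name === name && r.operation === operation);
  if (hit.length || fallback === undefined) return hit;
  return rules.filter(r => r.name === fallback && r.operation === operation);
}

// Assumption: a level passes when the user holds a role from any rule at it.
const passes = (set, roles) =>
  set.some(r => r.roles.some(role => roles.includes(role)));

// Record each decision so the result can be read like a debug trace.
function checkAccess(rules, userRoles, table, field, operation) {
  const trace = [];
  const tableSet = governing(rules, table, operation, '*');
  const viaWildcard = tableSet.length > 0 && tableSet[0].name === '*';
  const tableOk = passes(tableSet, userRoles);
  const label = viaWildcard ? '* (no explicit rule)' : table;
  trace.push(`table ${label}: ${tableOk ? 'pass' : 'fail'}`);
  if (tableSet.length > 1) trace.push(`duplicate table rules: ${tableSet.length}`);
  let fieldOk = true;
  if (field) {
    const fieldSet = governing(rules, `${table}.${field}`, operation);
    if (fieldSet.length > 1) trace.push(`duplicate field rules: ${fieldSet.length}`);
    if (fieldSet.length) {
      fieldOk = passes(fieldSet, userRoles);
      trace.push(`field ${table}.${field}: ${fieldOk ? 'pass' : 'fail'}`);
    }
  }
  return { allowed: tableOk && fieldOk, viaWildcard, trace };
}
```

In this model, a user holding only `fin` is denied `u_audit.u_cost` because the table rule fails first, and any user without `admin` is denied a table that has no explicit rule.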